RedNovember shows how fast edge-device exploits turn into espionage. Learn how AI-driven threat intelligence helps government and defense teams detect and respond.

RedNovember Case Study: AI Defense for Edge Attacks
A Chinese state-sponsored group doesn’t need a custom zero-day to get results. RedNovember (previously TAG-100, overlapping with Storm-2077) has shown that speed and scale can beat complexity—by hunting exposed edge systems right after proof-of-concept (PoC) exploit code goes public.
Recorded Future’s Insikt Group tracked RedNovember’s activity from June 2024 through July 2025, observing targeting and likely compromise across government, defense, aerospace, tech, and even law firms and media. The pattern is familiar: internet-facing gateways (VPNs, firewalls, load balancers, email portals) become the front door, and open-source tooling becomes the toolkit.
This matters for the AI in Defense & National Security conversation because edge-device campaigns are where AI-driven threat intelligence and detection actually shine. When adversaries move quickly—scanning thousands of targets, chaining commodity tooling, and rotating infrastructure—humans can’t keep up without automation.
What RedNovember teaches: edge devices are the new “quiet breach”
Answer first: RedNovember’s campaign shows that perimeter and edge systems are a high-return target because they’re exposed, often under-monitored, and difficult to log well.
RedNovember repeatedly focused on VPNs, firewalls, and externally accessible portals for initial access. Insikt Group observed reconnaissance and likely compromise attempts involving SonicWall, Cisco ASA, F5 BIG-IP, Palo Alto Networks GlobalProtect, Sophos SSL VPN, Fortinet FortiGate, Outlook Web Access (OWA), and Ivanti Connect Secure (ICS).
If you run security for a government agency, defense contractor, or aerospace supplier, this should feel uncomfortably close to home. Edge stacks are messy:
- Patching is constrained by uptime and change windows.
- Ownership is split (network team, IT, security, vendors).
- Visibility is inconsistent (limited telemetry, inconsistent syslog, weak EDR coverage).
Here’s the uncomfortable stance: “We have MFA” isn’t a perimeter strategy. If the box is vulnerable, the attacker may never need to authenticate.
Why this wave looks different from “classic APT”
Answer first: RedNovember blends state-level intent with commodity execution—open-source implants and widely used frameworks—making detection noisier and attribution harder.
Rather than relying only on bespoke malware, RedNovember used:
- Pantegana (Go-based backdoor/C2 framework)
- Cobalt Strike (widely abused post-exploitation framework)
- SparkRAT (open-source remote access tool)
- LESLIELOADER to load payloads in memory
That combination creates a practical problem for defenders: a Cobalt Strike beacon doesn’t “look Chinese” on its own. A Go backdoor isn’t unique by default. Your advantage comes from correlation: infrastructure overlap, timing, victimology, and repeated technique sequences. That’s exactly where AI-assisted threat intelligence earns its keep.
The campaign pattern: PoC drops, scanning surges, compromises follow
Answer first: RedNovember repeatedly surged activity soon after public PoCs appeared, turning public exploit research into operational access at scale.
Insikt Group described a recurring behavior: RedNovember increases targeting of specific edge products after vulnerabilities and PoCs are published. A clear example was activity around Check Point VPN gateway CVE-2024-24919 shortly after a PoC was released, with outbound communications to gateways linked to at least 60 organizations.
They also documented a focused campaign in April 2025 against Ivanti Connect Secure (ICS) devices across multiple countries, with targets reportedly including a major US newspaper and specialized US engineering/military organizations.
This is the operational reality you have to design for:
- Vulnerability disclosure happens.
- PoC hits public channels.
- Scanning ramps in hours/days.
- Exploitation attempts start before many orgs can patch.
A snippet-worthy way to say it:
Public PoC code compresses your patch window from weeks to days—sometimes to hours.
Why AI matters specifically in the PoC-to-exploitation window
Answer first: AI helps you prioritize what to fix and what to watch when time is the scarce resource.
Most security teams don’t fail because they don’t know they should patch. They fail because they can’t quickly answer:
- Which of our edge assets are exposed right now?
- Which ones map to exploited-in-the-wild vulnerabilities?
- Which exploit attempts are targeting our exact version/config?
- Which “weird” outbound connections correlate to known adversary infrastructure?
AI-driven threat intelligence can automate the first-pass triage by fusing:
- External exposure data (attack surface)
- Vulnerability intelligence (exploited-in-the-wild signals)
- Infrastructure tracking (C2 IPs/domains, hosting patterns)
- Telemetry correlation (proxy/DNS/firewall logs + detection signals)
The goal isn’t to replace analysts. It’s to stop wasting analyst time on the wrong 80%.
Victimology that tracks geopolitics (and procurement realities)
Answer first: RedNovember’s targeting aligns with strategic intelligence priorities—defense, diplomacy, semiconductors, and regional influence—while still dipping into opportunistic access.
Insikt Group observed targeting and likely compromise across government and private sector organizations globally, with concentration in aerospace and defense, government, and professional services.
Some highlights from the reported victimology:
- Government and diplomatic entities: ministries of foreign affairs, intergovernmental bodies, and government directorates.
- Taiwan: activity near a location tied to a Taiwan Air Force base and semiconductor R&D, in proximity to China’s military exercises.
- Panama: reconnaissance against 30+ Panamanian government organizations in April 2025, close to major geopolitical friction around the canal.
- Defense industrial base (DIB): at least two likely US defense contractors impacted, plus broader recon campaigns.
- Law firms and media: targets included a US law firm and a major US newspaper (as part of the ICS wave).
Two practical implications for defense and national security teams:
- Your vendors are part of your threat model. Engine manufacturers, cable harness suppliers, and niche engineering firms show up because supply chain adjacency is valuable.
- “Non-military” targets still matter. Law firms and media aren’t random; they’re intelligence collection opportunities.
The edge stack is now part of national security posture
Answer first: For government and defense, perimeter resilience is not just IT hygiene—it’s operational risk management.
If your mission depends on partner networks, research institutions, logistics, or comms, then edge compromise becomes a way to:
- map relationships (who connects to what)
- harvest credentials and email access
- stage for later operations
- collect sensitive negotiating, procurement, or legal data
In this series, we’ve talked about AI for intelligence analysis and mission planning. Cyber is the same story: faster sense-making wins.
A practical AI-driven playbook to blunt RedNovember-style intrusions
Answer first: You reduce risk fastest by combining exposure management, exploit-informed patching, and AI-assisted detection focused on edge telemetry.
Here’s what works in practice when you’re defending high-value sectors.
1) Build an “edge asset truth” and keep it current
Your first failure point is usually inventory. Create a living map of:
- all internet-facing VPN/firewall/load balancer/email portals
- versions, plugins/modules, and management interfaces
- geo and hosting details (on-prem vs cloud)
- ownership and patch authority
AI helps by continuously reconciling data from scanners, CMDB, cloud APIs, and passive DNS/exposure feeds so the list doesn’t rot the moment you publish it.
2) Patch by adversary behavior, not by CVSS score
RedNovember demonstrates why “high severity” isn’t always “highest risk.” What matters is:
- exploited in the wild
- public PoC availability
- edge exposure and reachability
- observed scanning volume against your sector
A simple operating rule I like:
If an edge RCE has a public PoC, treat it like an active incident until proven otherwise.
3) Detect the sequence, not just the signature
Commodity tooling means signatures alone will disappoint you. Aim detection around behavior chains, such as:
- unusual requests to VPN/web portal endpoints
- suspicious new admin sessions or config changes
- outbound connections from edge devices to uncommon destinations
- follow-on lateral movement attempts
AI can score these sequences across noisy logs and highlight the clusters that match known tradecraft (like repeated infrastructure reuse, timing patterns, and protocol choices).
4) Treat C2 infrastructure as a moving target and automate blocks carefully
Insikt Group published indicators tied to RedNovember infrastructure, including domains that typosquat “office” (for example, subdomains containing “offiec”) and multiple C2 IPs.
Your goal isn’t to rely on static blocklists forever—attackers rotate. Your goal is to:
- ingest fresh infrastructure intel automatically
- validate relevance to your environment (is anything talking to it?)
- deploy controls (DNS sinkhole, proxy block, firewall rules) with change governance
AI helps by deduplicating feeds, reducing false positives, and ranking what’s most urgent for your network.
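As an added illustration of steps 3 and 4 (and of the self-assessment item on rare outbound destinations), written for this page and not code from Recorded Future or the original post: a small Python triage that reads egress logs from edge appliances, flags device/destination pairs that are rare within a 30-day window, matches them against a C2 intel feed, and catches "office" look-alike hostnames such as the "offiec" subdomains the page mentions. The log format, device names, destinations and the placeholder C2 indicator are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample egress log lines from two edge appliances (not real data); assumed
# format: "<ISO timestamp> <device> <src_ip> -> <dst_host_or_ip>:<port> <proto>"
LOG_LINES = """\
2025-04-01T10:00:00 vpn-gw-01 10.1.1.5 -> updates.vendor.example:443 tcp
2025-04-15T10:00:00 vpn-gw-01 10.1.1.5 -> updates.vendor.example:443 tcp
2025-02-20T03:12:44 vpn-gw-01 10.1.1.5 -> 203.0.113.77:8443 tcp
2025-04-20T03:12:44 vpn-gw-01 10.1.1.5 -> 198.51.100.23:8443 tcp
2025-04-21T02:55:10 fw-edge-02 10.1.2.9 -> login.offiec-sync.example:443 tcp
2025-04-23T09:00:00 fw-edge-02 10.1.2.9 -> ntp.vendor.example:123 udp
2025-04-24T09:00:00 fw-edge-02 10.1.2.9 -> ntp.vendor.example:123 udp
"""
INTEL_C2 = {"198.51.100.23"}  # constructed placeholder indicator, not a real IoC
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> ([^:\s]+):(\d+) (\S+)$")
# Every adjacent-letter transposition of "office" ("offiec", "ofifce", ...): the page notes
# RedNovember used "offiec" subdomains, so treat any such look-alike label as suspicious.
OFFICE_TYPOS = {"office"[:i] + "office"[i + 1] + "office"[i] + "office"[i + 2:]
                for i in range(5)} - {"office"}

def parse(lines):
    """Turn raw log lines into event dicts; lines that don't match the format are skipped."""
    events = []
    for m in filter(None, (LINE_RE.match(line.strip()) for line in lines.splitlines())):
        ts, dev, src, dst, port, proto = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "device": dev, "src": src,
                       "dst": dst, "port": int(port), "proto": proto})
    return events

def triage(events, now, window_days=30, rare_threshold=1):
    """Return {(device, dst): [reasons]} for device/destination pairs worth analyst time."""
    recent = [e for e in events if now - e["ts"] <= timedelta(days=window_days)]
    seen = Counter((e["device"], e["dst"]) for e in recent)
    findings = {}
    for (device, dst), count in seen.items():
        reasons = []
        if count <= rare_threshold:
            reasons.append("rare destination for this device in window")
        if dst in INTEL_C2:
            reasons.append("matches C2 infrastructure intel")
        if "office" not in dst and any(t in dst for t in OFFICE_TYPOS):
            reasons.append("office look-alike hostname")
        if reasons:
            findings[(device, dst)] = reasons
    return findings

def demo(now_iso="2025-04-30T00:00:00"):
    # Run the triage over the constructed sample as of the given date.
    return triage(parse(LOG_LINES), datetime.fromisoformat(now_iso))
```

The routine deliberately ignores the February connection that falls outside the window and the twice-seen NTP destination, so only the two pairs an analyst should look at come back.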
5) Add compensating controls where patching is slow
If you can’t patch immediately (and sometimes you can’t), do the basics that actually reduce blast radius:
- segment management planes from user networks
- restrict admin access paths (jump hosts, conditional access)
- enforce MFA everywhere it’s relevant (and monitor bypass attempts)
- tighten egress from edge appliances (where possible)
- monitor for web shells and anomalous process execution on supporting hosts
This is where AI-driven SOC automation helps: it can push repeatable containment steps and open structured investigations without waiting for a human to notice the first breadcrumb.
“Could we be next?” A fast self-assessment for government and defense
Answer first: If you operate exposed edge services and your patch cycle is measured in weeks, you’re in the typical blast radius for RedNovember-style targeting.
Use this checklist in a 30-minute working session:
- List your internet-facing edge services (VPN, firewall portals, load balancers, OWA).
- Confirm version and last patch date for each.
- Verify you collect logs (auth logs, admin actions, config changes, outbound connections).
- Search for rare outbound destinations from edge devices over the last 30 days.
- Pressure-test your PoC response: can you identify exposure and apply mitigations in 24–72 hours?
If any of these steps turn into a week-long email chain, that’s your signal: you need more automation and better ownership boundaries.
Where AI-driven threat intelligence fits in the bigger Defense & National Security story
RedNovember isn’t just another actor profile. It’s a case study in how modern espionage teams operate when the target set is global and the time-to-exploit is short.
AI in defense and national security is often framed as satellites, sensors, and decision advantage. Cyber defense belongs in that same frame. The side that can correlate more signals, faster, makes better decisions under pressure.
If you’re responsible for protecting government, defense, aerospace, or sensitive technology environments, the next step is straightforward: assess your edge exposure, modernize exploit-informed patching, and use AI to triage and correlate threat intelligence and telemetry into actions your team can execute.
What would change in your security posture if your patch prioritization and detection logic updated automatically within hours of a PoC going public?